Repository: gitlab.com/gitlab-org/gitlab-foss.git

Diffstat (limited to 'doc/administration/auth')

doc/administration/auth/atlassian.md               |   4
doc/administration/auth/cognito.md                 |   6
doc/administration/auth/crowd.md                   |   4
doc/administration/auth/index.md                   |   2
doc/administration/auth/jwt.md                     |   4
doc/administration/auth/ldap/google_secure_ldap.md |   2
doc/administration/auth/ldap/index.md              | 144
doc/administration/auth/oidc.md                    |  50
doc/administration/auth/smartcard.md               |   8
doc/administration/auth/test_oidc_oauth.md         |   2
10 files changed, 190 insertions, 36 deletions

diff --git a/doc/administration/auth/atlassian.md b/doc/administration/auth/atlassian.md
index 8525b3e9b98..cbfb4921e14 100644
--- a/doc/administration/auth/atlassian.md
+++ b/doc/administration/auth/atlassian.md
@@ -5,7 +5,7 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Atlassian OmniAuth Provider **(FREE SELF)**
+# Use Atlassian as an OAuth 2.0 authentication provider **(FREE SELF)**
To enable the Atlassian OmniAuth provider for passwordless authentication you must register an application with Atlassian.
@@ -77,7 +77,7 @@ To enable the Atlassian OmniAuth provider for passwordless authentication you mu
1. For the changes to take effect:
- If you installed using the Linux package, [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
- - If you self-compiled your installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
+ - If you self-compiled your installation, [restart GitLab](../restart_gitlab.md#self-compiled-installations).
On the sign-in page there should now be an Atlassian icon below the regular sign in form. Select the icon to begin the authentication process.
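Review bot: the new anchor `#self-compiled-installations` points into `../restart_gitlab.md`, a file outside this diffstat, so confirm that heading actually exists in the target page before merging; the same anchor is swapped in across the crowd, JWT, LDAP, OIDC and smartcard pages in this MR, so a stale anchor would silently break every one of those links at once.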
diff --git a/doc/administration/auth/cognito.md b/doc/administration/auth/cognito.md
index 8c8abf1524f..554b3d776ac 100644
--- a/doc/administration/auth/cognito.md
+++ b/doc/administration/auth/cognito.md
@@ -5,10 +5,10 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Amazon Web Services Cognito **(FREE SELF)**
+# Use AWS Cognito as an OAuth 2.0 authentication provider **(FREE SELF)**
-Amazon Cognito lets you add user sign-up, sign-in, and access control to your GitLab instance.
-The following documentation enables Cognito as an OAuth 2.0 provider.
+Amazon Web Services (AWS) Cognito lets you add user sign-up, sign-in, and access control to your GitLab instance.
+The following documentation enables AWS Cognito as an OAuth 2.0 provider.
## Configure AWS Cognito
diff --git a/doc/administration/auth/crowd.md b/doc/administration/auth/crowd.md
index 08c1f5e7513..6ced9f844cd 100644
--- a/doc/administration/auth/crowd.md
+++ b/doc/administration/auth/crowd.md
@@ -5,7 +5,7 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Atlassian Crowd OmniAuth provider (deprecated) **(FREE SELF)**
+# Use Atlassian Crowd as an OAuth 2.0 authentication provider (deprecated) **(FREE SELF)**
WARNING:
This feature was [deprecated](https://gitlab.com/gitlab-org/gitlab/-/issues/369117) in GitLab 15.3 and is planned for
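Review bot: the new title calls Crowd an "OAuth 2.0 authentication provider", but the retained text describes a credential-based integration (an application password, a Crowd tab in the sign-in form, Crowd authentication for Git-over-HTTPS requests), not an OAuth 2.0 redirect flow. Suggest `# Use Atlassian Crowd as an authentication provider (deprecated) **(FREE SELF)**` so the heading does not imply a token-based flow the page never documents.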
@@ -78,7 +78,7 @@ this provider also allows Crowd authentication for Git-over-https requests.
1. Change `YOUR_APP_PASSWORD` to the application password you've set.
1. Save the configuration file.
1. [Reconfigure](../restart_gitlab.md#reconfigure-a-linux-package-installation) (Linux package installations) or
- [restart](../restart_gitlab.md#installations-from-source) (self-compiled installations) for the changes to take effect.
+ [restart](../restart_gitlab.md#self-compiled-installations) (self-compiled installations) for the changes to take effect.
On the sign in page there should now be a Crowd tab in the sign in form.
diff --git a/doc/administration/auth/index.md b/doc/administration/auth/index.md
index 4a8e230a944..4e96cdf0411 100644
--- a/doc/administration/auth/index.md
+++ b/doc/administration/auth/index.md
@@ -19,7 +19,7 @@ and the following external authentication and authorization providers:
NOTE:
UltraAuth has removed their software which supports OmniAuth integration. We have therefore removed all references to UltraAuth integration.
-## SaaS vs Self-Managed Comparison
+## SaaS vs self-managed comparison
The external authentication and authorization providers may support the following capabilities.
For more information, see the links shown on this page for each external provider.
diff --git a/doc/administration/auth/jwt.md b/doc/administration/auth/jwt.md
index 9a74064136a..9f95682fc47 100644
--- a/doc/administration/auth/jwt.md
+++ b/doc/administration/auth/jwt.md
@@ -5,7 +5,7 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# JWT OmniAuth provider **(FREE SELF)**
+# Use JWT as an OAuth 2.0 authentication provider **(FREE SELF)**
To enable the JWT OmniAuth provider, you must register your application with JWT.
JWT provides you with a secret key for you to use.
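Review bot: the heading "Use JWT as an OAuth 2.0 authentication provider" names a token format as if it were an identity provider, and the unchanged sentence "you must register your application with JWT" compounds that; what the page actually describes is a shared secret key, not a client ID, client secret and authorization endpoint, so labelling it OAuth 2.0 is inaccurate. Suggest "Use JWT as an authentication provider" for the heading and "register your application with the identity provider that issues your JWTs" for the first sentence.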
@@ -77,7 +77,7 @@ JWT provides you with a secret key for you to use.
1. Save the configuration file.
1. For changes to take effect, if you:
- Used the Linux package to install GitLab, [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
- - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
+ - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#self-compiled-installations).
On the sign in page there should now be a JWT icon below the regular sign in form.
Select the icon to begin the authentication process. JWT asks the user to
diff --git a/doc/administration/auth/ldap/google_secure_ldap.md b/doc/administration/auth/ldap/google_secure_ldap.md
index d484059c79f..388288bbe49 100644
--- a/doc/administration/auth/ldap/google_secure_ldap.md
+++ b/doc/administration/auth/ldap/google_secure_ldap.md
@@ -210,7 +210,7 @@ For self-compiled installations:
-----END PRIVATE KEY-----
```
-1. Save the file and [restart](../../restart_gitlab.md#installations-from-source) GitLab for the changes to take effect.
+1. Save the file and [restart](../../restart_gitlab.md#self-compiled-installations) GitLab for the changes to take effect.
## Using encrypted credentials
diff --git a/doc/administration/auth/ldap/index.md b/doc/administration/auth/ldap/index.md
index 1905a009eb6..746d1f6b7fd 100644
--- a/doc/administration/auth/ldap/index.md
+++ b/doc/administration/auth/ldap/index.md
@@ -90,7 +90,7 @@ Here's an example of setting up LDAP with only the required options.
'port' => 636,
'uid' => 'sAMAccountName',
'encryption' => 'simple_tls',
- 'base' => 'dc=example,dc=com',
+ 'base' => 'dc=example,dc=com'
}
}
```
@@ -155,7 +155,7 @@ For more information, see
'port' => 636,
'uid' => 'sAMAccountName',
'encryption' => 'simple_tls',
- 'base' => 'dc=example,dc=com',
+ 'base' => 'dc=example,dc=com'
}
}
```
@@ -237,7 +237,8 @@ These configuration settings are available:
### SSL configuration settings
-These SSL configuration settings are available:
+SSL configuration settings can be configured under `tls_options` name/value
+pairs. The following SSL configuration settings are available:
| Setting | Description | Required | Examples |
|---------------|-------------|----------|----------|
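Review bot: "SSL configuration settings can be configured under `tls_options` name/value pairs" is redundant ("settings can be configured") and reads as if `tls_options` were itself a pair. Suggest: "Set SSL options as name/value pairs under `tls_options`. The following settings are available:".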
@@ -247,6 +248,143 @@ These SSL configuration settings are available:
| `cert` | Client certificate. | **{dotted-circle}** No | `'-----BEGIN CERTIFICATE----- <REDACTED> -----END CERTIFICATE -----'` |
| `key` | Client private key. | **{dotted-circle}** No | `'-----BEGIN PRIVATE KEY----- <REDACTED> -----END PRIVATE KEY -----'` |
+The examples below illustrate how to set `ca_file` and `ssl_version` in `tls_options`:
+
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
+
+1. Edit `/etc/gitlab/gitlab.rb`:
+
+ ```ruby
+ gitlab_rails['ldap_enabled'] = true
+ gitlab_rails['ldap_servers'] = {
+ 'main' => {
+ 'label' => 'LDAP',
+ 'host' => 'ldap.mydomain.com',
+ 'port' => 636,
+ 'uid' => 'sAMAccountName',
+ 'encryption' => 'simple_tls',
+ 'base' => 'dc=example,dc=com'
+ 'tls_options' => {
+ 'ca_file' => '/path/to/ca_file.pem',
+ 'ssl_version' => 'TLSv1_2'
+ }
+ }
+ }
+ ```
+
+1. Save the file and reconfigure GitLab:
+
+ ```shell
+ sudo gitlab-ctl reconfigure
+ ```
+
+:::TabTitle Helm chart (Kubernetes)
+
+1. Export the Helm values:
+
+ ```shell
+ helm get values gitlab > gitlab_values.yaml
+ ```
+
+1. Edit `gitlab_values.yaml`:
+
+ ```yaml
+ global:
+ appConfig:
+ ldap:
+ servers:
+ main:
+ label: 'LDAP'
+ host: 'ldap.mydomain.com'
+ port: 636
+ uid: 'sAMAccountName'
+ base: 'dc=example,dc=com'
+ encryption: 'simple_tls'
+ tls_options:
+ ca_file: '/path/to/ca_file.pem'
+ ssl_version: 'TLSv1_2'
+ ```
+
+1. Save the file and apply the new values:
+
+ ```shell
+ helm upgrade -f gitlab_values.yaml gitlab gitlab/gitlab
+ ```
+
+For more information, see
+[how to configure LDAP for a GitLab instance that was installed by using the Helm chart](https://docs.gitlab.com/charts/charts/globals.html#ldap).
+
+:::TabTitle Docker
+
+1. Edit `docker-compose.yml`:
+
+ ```yaml
+ version: "3.6"
+ services:
+ gitlab:
+ image: 'gitlab/gitlab-ee:latest'
+ restart: always
+ hostname: 'gitlab.example.com'
+ environment:
+ GITLAB_OMNIBUS_CONFIG: |
+ gitlab_rails['ldap_enabled'] = true
+ gitlab_rails['ldap_servers'] = {
+ 'main' => {
+ 'label' => 'LDAP',
+ 'host' => 'ldap.mydomain.com',
+ 'port' => 636,
+ 'uid' => 'sAMAccountName',
+ 'encryption' => 'simple_tls',
+ 'base' => 'dc=example,dc=com',
+ 'tls_options' => {
+ 'ca_file' => '/path/to/ca_file.pem',
+ 'ssl_version' => 'TLSv1_2'
+ }
+ }
+ }
+ ```
+
+1. Save the file and restart GitLab:
+
+ ```shell
+ docker compose up -d
+ ```
+
+:::TabTitle Self-compiled (source)
+
+1. Edit `/home/git/gitlab/config/gitlab.yml`:
+
+ ```yaml
+ production: &base
+ ldap:
+ enabled: true
+ servers:
+ main:
+ label: 'LDAP'
+ host: 'ldap.mydomain.com'
+ port: 636
+ uid: 'sAMAccountName'
+ encryption: 'simple_tls'
+ base: 'dc=example,dc=com'
+ tls_options:
+ ca_file: '/path/to/ca_file.pem'
+ ssl_version: 'TLSv1_2'
+ ```
+
+1. Save the file and restart GitLab:
+
+ ```shell
+ # For systems running systemd
+ sudo systemctl restart gitlab.target
+
+ # For systems running SysV init
+ sudo service gitlab restart
+ ```
+
+::EndTabs
+
### Attribute configuration settings
GitLab uses these LDAP attributes to create an account for the LDAP user. The specified
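Review bot: the Linux package (Omnibus) example in this hunk is not valid Ruby: `'base' => 'dc=example,dc=com'` is immediately followed by `'tls_options' => {` with no separating comma, so `sudo gitlab-ctl reconfigure` fails to parse `/etc/gitlab/gitlab.rb` if the snippet is copied as-is. Add the comma (`'base' => 'dc=example,dc=com',`), as the Docker example in the same hunk already does. Note that the two earlier hunks in this file strip the trailing comma after `base`; that is harmless only while `base` remains the last key, which is exactly what this new example changes.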
diff --git a/doc/administration/auth/oidc.md b/doc/administration/auth/oidc.md
index d48de109bd0..8ef95872ad4 100644
--- a/doc/administration/auth/oidc.md
+++ b/doc/administration/auth/oidc.md
@@ -5,7 +5,7 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# OpenID Connect OmniAuth provider **(FREE SELF)**
+# Use OpenID Connect as an OAuth 2.0 authentication provider **(FREE SELF)**
GitLab can use [OpenID Connect](https://openid.net/specs/openid-connect-core-1_0.html)
as an OmniAuth provider.
@@ -22,7 +22,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
sudo editor /etc/gitlab/gitlab.rb
```
- For installations from source:
+ For self-compiled installations:
```shell
cd /home/git/gitlab
@@ -187,7 +187,7 @@ The OpenID Connect provides you with a client's details and secret for you to us
1. For changes to take effect, if you:
- Used the Linux package to install GitLab, [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation).
- - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#installations-from-source).
+ - Self-compiled your GitLab installation, [restart GitLab](../restart_gitlab.md#self-compiled-installations).
On the sign in page, you have an OpenID Connect option below the regular sign in form.
Select this option to begin the authentication process. The OpenID Connect provider
@@ -581,7 +581,7 @@ gitlab_rails['omniauth_providers'] = [
]
```
-Example installations from source configuration (file path: `config/gitlab.yml`):
+Example configuration for self-compiled installations (file path: `config/gitlab.yml`):
```yaml
- { name: 'openid_connect', # do not change this parameter
@@ -750,7 +750,7 @@ def sync_missing_provider(self, user: User, extern_uid: str)
For more information, see the [GitLab API user method documentation](https://python-gitlab.readthedocs.io/en/stable/gl_objects/users.html#examples).
-## Configure users based on OIDC group membership **(PREMIUM)**
+## Configure users based on OIDC group membership **(PREMIUM ALL)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/209898) in GitLab 15.10.
@@ -774,7 +774,9 @@ response to require users to be members of a certain group, configure GitLab to
If you do not set `required_groups` or leave the setting empty, any user authenticated by the IdP through OIDC can use GitLab.
-For Linux package installations:
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
1. Edit `/etc/gitlab/gitlab.rb`:
@@ -808,7 +810,7 @@ For Linux package installations:
1. Save the file and [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation)
for the changes to take effect.
-For self-compiled installations:
+:::TabTitle Self-compiled (source)
1. Edit `/home/git/gitlab/config/gitlab.yml`:
@@ -839,9 +841,11 @@ For self-compiled installations:
}
```
-1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source)
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#self-compiled-installations)
for the changes to take effect.
+::EndTabs
+
### External groups
Your IdP must pass group information to GitLab in the OIDC response. To use this
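Review bot: in the Self-compiled tab the step still reads "[reconfigure GitLab](../restart_gitlab.md#self-compiled-installations)", but the link goes to restart_gitlab.md and every other page in this MR uses "restart GitLab" for self-compiled installations (atlassian.md, crowd.md, jwt.md, smartcard.md). Change the verb to "restart" here and in the three identical hunks that follow (`@@ -918`, `@@ -995`, `@@ -1072`) so the link text and its target agree.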
@@ -853,7 +857,9 @@ based on group membership, configure GitLab to identify:
[external user](../external_users.md), using the
`external_groups` setting.
-For Linux package installations:
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
1. Edit `/etc/gitlab/gitlab.rb`:
@@ -887,7 +893,7 @@ For Linux package installations:
1. Save the file and [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation)
for the changes to take effect.
-For self-compiled installations:
+:::TabTitle Self-compiled (source)
1. Edit `/home/git/gitlab/config/gitlab.yml`:
@@ -918,9 +924,11 @@ For self-compiled installations:
}
```
-1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source)
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#self-compiled-installations)
for the changes to take effect.
+::EndTabs
+
### Auditor groups **(PREMIUM SELF)**
Your IdP must pass group information to GitLab in the OIDC response. To use this
@@ -930,7 +938,9 @@ response to assign users as auditors based on group membership, configure GitLab
- Which group memberships grant the user auditor access, using the `auditor_groups`
setting.
-For Linux package installations:
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
1. Edit `/etc/gitlab/gitlab.rb`:
@@ -964,7 +974,7 @@ For Linux package installations:
1. Save the file and [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation)
for the changes to take effect.
-For self-compiled installations:
+:::TabTitle Self-compiled (source)
1. Edit `/home/git/gitlab/config/gitlab.yml`:
@@ -995,9 +1005,11 @@ For self-compiled installations:
}
```
-1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source)
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#self-compiled-installations)
for the changes to take effect.
+::EndTabs
+
### Administrator groups
Your IdP must pass group information to GitLab in the OIDC response. To use this
@@ -1007,7 +1019,9 @@ response to assign users as administrator based on group membership, configure G
- Which group memberships grant the user administrator access, using the
`admin_groups` setting.
-For Linux package installations:
+::Tabs
+
+:::TabTitle Linux package (Omnibus)
1. Edit `/etc/gitlab/gitlab.rb`:
@@ -1041,7 +1055,7 @@ For Linux package installations:
1. Save the file and [reconfigure GitLab](../restart_gitlab.md#reconfigure-a-linux-package-installation)
for the changes to take effect.
-For self-compiled installations:
+:::TabTitle Self-compiled (source)
1. Edit `/home/git/gitlab/config/gitlab.yml`:
@@ -1072,9 +1086,11 @@ For self-compiled installations:
}
```
-1. Save the file and [reconfigure GitLab](../restart_gitlab.md#installations-from-source)
+1. Save the file and [reconfigure GitLab](../restart_gitlab.md#self-compiled-installations)
for the changes to take effect.
+::EndTabs
+
## Troubleshooting
1. Ensure `discovery` is set to `true`. If you set it to `false`, you must
diff --git a/doc/administration/auth/smartcard.md b/doc/administration/auth/smartcard.md
index 5802db78dd6..1662639dd29 100644
--- a/doc/administration/auth/smartcard.md
+++ b/doc/administration/auth/smartcard.md
@@ -230,7 +230,7 @@ For self-compiled installations:
Assign a value to at least one of the following variables:
`client_certificate_required_host` or `client_certificate_required_port`.
-1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
+1. Save the file and [restart](../restart_gitlab.md#self-compiled-installations)
GitLab for the changes to take effect.
### Additional steps when using SAN extensions
@@ -260,7 +260,7 @@ For self-compiled installations:
san_extensions: true
```
-1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
+1. Save the file and [restart](../restart_gitlab.md#self-compiled-installations)
GitLab for the changes to take effect.
### Additional steps when authenticating against an LDAP server
@@ -297,7 +297,7 @@ For self-compiled installations:
smartcard_auth: optional
```
-1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
+1. Save the file and [restart](../restart_gitlab.md#self-compiled-installations)
GitLab for the changes to take effect.
### Require browser session with smartcard sign-in for Git access
@@ -325,7 +325,7 @@ For self-compiled installations:
required_for_git_access: true
```
-1. Save the file and [restart](../restart_gitlab.md#installations-from-source)
+1. Save the file and [restart](../restart_gitlab.md#self-compiled-installations)
GitLab for the changes to take effect.
## Passwords for users created via smartcard authentication
diff --git a/doc/administration/auth/test_oidc_oauth.md b/doc/administration/auth/test_oidc_oauth.md
index 95cca1ced86..be0ea5c963e 100644
--- a/doc/administration/auth/test_oidc_oauth.md
+++ b/doc/administration/auth/test_oidc_oauth.md
@@ -4,7 +4,7 @@ group: Authentication and Authorization
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments
---
-# Test OIDC/OAuth in GitLab **(FREE)**
+# Test OIDC/OAuth in GitLab **(FREE SELF)**
To test OIDC/OAuth in GitLab, you must: